CADNA and BBB Roll Out FUD Campaign to SOPA-Size ACPA

Using the impending launch of new gTLDs as a rationale, The Coalition Against Domain Name Abuse (CADNA) has teamed up with the Council of Better Business Bureaus (BBB) to launch a month-long “‘Know Your Net’ gTLD public awareness campaign”[1]. Their goal is to enact amendments to the U.S. Anti-Cybersquatting Consumer Protection Act (ACPA) that would expand the law’s coverage beyond domain registrants by creating secondary liability for domain system intermediaries like registries and registrars, increase statutory damages penalties for all targets, and establish a ‘loser pays’ regime that favors deep-pocket corporate litigants. If such a proposal were enacted, it would vastly increase the litigation leverage of trademark owners and tilt the playing field against defendants in a manner that would result in a high probability of domain shutdown without any final verdict from a court. In short, it’s a SOPA-like proposal grounded in trademark rather than copyright.

CADNA kicked off the campaign at a September 18th Washington event featuring remarks from Rep. Tom Marino (R-PA), Vice Chair of the House Judiciary Subcommittee on Courts, Intellectual Property, and the Internet. According to press reports, Marino said “I’m sure there will be hearings” to address the protection of trademark rights in the context of ICANN’s new gTLD program, adding:

“There are still many senior members in the House and Senate that simply rely on their staff concerning anything to do with computers or the Internet. They have a rough time figuring out how to turn the computer on, let alone what the ramifications are. We have to make sure we have all the players at the table, we have all the information, and we do what is going to be most efficient and the most effective. We’re determined to do this right.”

While we share CADNA’s condemnation of cybersquatting, we are not convinced that any expansion of ACPA is required, especially if the legislation is based on a Fear, Uncertainty, and Doubt (FUD) campaign of questionable information and unsupported projections. For example, CADNA Director Josh Bourne predicted at the event that cybersquatting would “explode by at least 2,500 percent” due to the new gTLD program. We have no idea what crystal ball produced that projection of a 25-fold increase, since the cybersquatters generally target multi-million registration TLDs because they rely on a high volume of type-in traffic — and that’s unlikely at new gTLDs when most Internet users remain largely unaware of them, with many new registries facing a major marketing challenge in simply attracting sufficient registrants to stay afloat.

Even when CADNA’s statistics have more grounding, they don’t lead to a logical conclusion that ACPA amendments would have any material effect on a real problem. For example, at the kick-off event Bourne noted that phishing activities cost banks and credit card issuers $2.8 billion yearly, and cybercrime costs global businesses over $500 billion, according to a July study from the Center for Strategic and International Studies. That same theme is evident at CADNA’s “What is Cybersquatting?” webpage[2], where this statement appears:

Cybersquatting has evolved over the past decade into a sophisticated form of online cybercrime. Brand owners lose resources that could be better spent towards innovation and job creation to such cybersquatting schemes as:

· Phishing: There were 118,073 unique phishing websites detected in the first three months of 2013. Theft through phishing activities costs U.S. banks and credit card issuers an estimated $2.8 billion each year (sources: AntiPhishing Working Group and BrandProtect).

While citing the AntiPhishing Working Group (APWG) as a source, CADNA’s use of their data is selectively incomplete in a manner that would misinform anyone relying solely upon it. In fact, the latest, just-released APWG report tells us that of the 53,685 phishing domains it identified, only 12,173 (22.7%) were believed to have been directly registered by phishers, with the remainder belonging to compromised web servers that had been hacked into by cybercriminals.[3] APWG also estimated that sixty-eight percent of phishing domain registrations were undertaken by parties based in China, who are of course outside U.S. jurisdiction and for whom the proposed amendments to the ACPA would have no effect. Further, according to APWG, the number of phishing domains that actually contain a brand or a variation of a brand – that is, the type that are subject to ACPA – was only 1,244 (2.3%). That figure remains about the same as it was in 2012, when APWG said this:

Most maliciously registered domain strings offered nothing to confuse a potential victim. Placing brand names or variations thereof in the domain name itself is not a favored tactic, since brand owners are proactively scanning Internet zone files for such names.

As we have observed in the past, the domain name itself usually does not matter to phishers, and a domain name of any meaning, or no meaning at all, in any TLD, will usually do.

Instead, phishers almost always place brand names in subdomains or subdirectories. This puts the misleading string somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the “base” or true domain name being used in a URL. (Emphasis added)

So, when all the APWG data is considered, it becomes clear that criminal phishing activities provide no rationale for ACPA amendments. That’s because only 1 in 5 phishing sites is based in a bona fide domain registration, only 1 in 50 is related to “typosquatting” – and at least two-thirds of the bad actors connected with them are beyond the powers of U.S. courts. (Sure, an ACPA case includes an in rem ability to seize a domain associated with a U.S. registry or registrar, but that’s of no deterrence to phishers whose scams generally go on for just a few days before relocating to the next domain of convenience.)

A similar tendency to play fast and loose with facts and logic is evident in the justification of one of the key components of CADNA’s legislative amendment agenda, which is to raise the minimum statutory damages for a single violation of the ACPA by 2,500 percent, from $1,000 to $25,000. CADNA’s rationale for that immodest increase is[4]:

Under current law, cybersquatters face statutory damages of between $1,000 and $100,000 per domain name. The courts have, however, generally awarded limited damages closer to $1,000 per domain name.

When we look at one recent major verdict awarded under the ACPA, that statement also does not withstand scrutiny. In March 2013, Facebook won an ACPA case in the U.S. District Court for Northern California and was awarded statutory damages of $2,795,000 from the operators of 105 domains found to be infringing. That works out to $26,619 per domain, or more than $1,000 more than the statutory minimum sought by CADNA. The verdict illustrates that federal judges have used, and will use, their existing latitude to award damages far above the current statutory minimum of $1,000 when they deem it appropriate. CADNA’s amendment would take away the judicial flexibility to levy the current minimum – which is still a considerable amount for a single domain — when it is determined that there is a technical violation of the statute, but that the facts do not justify a higher financial penalty on top of the forfeiture of the infringing domain.

Higher statutory minimums for ACPA cases would undoubtedly have the same effect they now have in copyright litigation, where defendants with meritorious arguments nonetheless surrender up front because they simply cannot take on that financial risk in addition to the high cost of retaining competent defense counsel. And CADNA’s “loser pays” proposal – that “the court shall assess against the defending party reasonable attorney fees and other litigation costs reasonably incurred in the course of the case to be paid to the complainant” – would further increase the odds that a well-heeled corporate complainant could prevail in an ACPA case simply by filing a lawsuit (or just threatening to do so), because it piles on the potential financial loss faced by the defendant, who is often an individual or small business of limited means.

Of course, under CADNA’s proposal this potential financial jeopardy would be faced by parties far beyond the domain registrant, as they also want to “Establish liability against an affiliate, representative, or any other person or entity that is in active concert or participation with the registrant, including but not limited to a domain name registrar or domain name registry.” Potential liability would also accrue to “Internet parking pages, pay-per-click advertising, and other monetization schemes”. In other words, not just domain industry participants but everyone else involved in the Internet business ecosystem, including ad providers and payments processors, would be brought under ACPA jurisdiction if CADNA had its way. As we saw with the rightfully failed SOPA legislation, secondary liability would either vastly expand the potential windfall to litigants or cause these service providers to cut off domains at even the hint of a lawsuit, depriving registrants of the very domain-generated income required to fund litigation defense when they believe the allegations against them are bogus.

CADNA also seems to have a problem keeping its cost estimates for defensive registrations at new gTLDs consistent. In an article just published on the BBB website, Mr. Bourne writes[5], “If businesses register as aggressively [as they did at the .XXX adult content TLD] in all of the new ‘open’ gTLDs, they will be forced to spend almost $10 billion. Clearly, that is a non-starter. Stronger cybersquatting laws are essential to bridging that gap.” Yet at its own website it concedes that the figure is likely to be substantially less[6], “Domain name registrations in the new gTLDs likely will be lower than they where (sic) in .XXX. But even a quarter of the .XXX number of registrations would cost about $2.4 billion.” Now even $2.4 billion is a lot of money – but no one believes that major businesses will or need to make defensive registrations in all of the new open gTLDs, not to mention the specialty label variety, or the “closed generics” or “restricted registration” types they will be barred from, so all these projections are nothing more than self-serving guesswork accompanied by ad hoc rationalization.

Further, just a minute’s reflection leads one to believe that even the $2.4 billion estimate is vastly exaggerated. According to the most recent April 2013 VeriSign Domain Name Industry Brief[7] there were 252 million registered domains at the end of 2012, of which about half (121 million) were in .Com or .Net. The average annual registration fee for a .Com or .Net domain is less than $10 – but let’s go high and assume that the average annual fee for all existing domains is $10. If that’s close to correct, then the annual global total for all domain registration fees is $2.52 billion – so is it even close to credible that defensive registration costs at new gTLDs will be about the same?

Additionally, CADNA’s advocacy efforts neglect to mention the multiple new trademark protections built into the new gTLD program at the behest of the IP sector. The Trademark Clearinghouse permits the registration not just of a registered copyright but of up to fifty variations that were previously abused. That listing serves a variety of purposes, including the generation of a Trademark Notice warning to potential registrants at new gTLDs. The new Uniform Rapid Suspension (URS) arbitration process will also be available at a fraction of the cost of a traditional UDRP. In addition, many of the parties that CADNA wants to target for secondary liability already provide administrative means for rights holders to shut down clear-cut infringement without even filing a UDRP action, much less incurring litigation costs.

Finally, CADNA statements that seek to raise the anxiety level of the public and policymakers, such as “The imminent addition of new gTLDs such as .BANK and .DOCTOR – in which anyone may purchase a second-level domain – adds to the urgency for muscular, legal deterrents against cybersquatting.”[8], also give an incomplete picture. An uninformed reader (or Member of Congress) would hardly know that many new gTLDs have the potential to substantially reduce cybercrime, such as a banking industry proposal for a .Bank gTLD where high-security domains would only be available to regulated financial intermediaries to reduce phishing and other scams. There’s also no mention that ICANN is still considering adoption of additional safeguards proposed by its Governmental Advisory Committee (GAC) that would apply across-the-board to all new gTLDs associated with regulated industries and professions. CADNA is surely aware of these developments, as it is associated with and shares Washington, DC offices with Fairwinds Partners, which through its gTLD Strategy Services[9] has assisted corporate clients in making .Brand and “restricted registration” new gTLD applications into the very ICANN program that CADNA cites as the reason for Congress to rush through trademark law amendments before there is any documented evidence of the actual incidence of infringement and cybercrime at new gTLDs.

We share CADNA’s condemnation of trademark infringement, not to mention felonious cyber-criminal activities. But it would be irresponsible for Congress to amend ACPA in advance of comprehensive, data-backed analysis of the actual scope of these problems at new gTLDs — data that will be available only after they commence operation. It’s important that Congress be careful and deliberative in considering any such proposal to alter the treatment of Internet IP rights — as not only does the U.S. tend to set legal trends in cyberlaw, but CADNA has made clear that they view ACPA revisions as just a first step in a global cyber-policy strategy, declaring, “Cybersquatting is an international problem and thus the solution must also be international. CADNA intends to extend its advocacy to other nations once it has succeeded in the U.S.”[10]

If a bill along the lines of what CADNA proposes is actually introduced in Congress we would hope that the registries, registrars, and other private sector parties it targets will inform Congress of why it is overbroad and unjustified, rather than seek carve-out exemptions that abandon their domain registrant customers – the broad domain industry will need to speak out in a unified voice of opposition. Hopefully, the same Netizen community that killed off SOPA will react accordingly to this latest variation. We would also expect ICANN to get up on Capitol Hill and explain why CADNA’s allegations are myopically overwrought. And, needless to say, ICA will continue to set the record straight and engage as necessary to assure that domain-related trademark law remains even-handed and proportionate rather than facilitating litigation abuse against the broad domain industry.